CVE-2020-10663

Summary

CVE	CVE-2020-10663
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-04-28 21:15:00 UTC
Updated	2023-11-07 03:14:00 UTC
Description	The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Zookeeper	All	All	All	All
Operating System	Apple	Macos	11.0.1	All	All	All
Operating System	Apple	Mac Os	11.0.1	All	All	All
Operating System	Apple	Mac Os	11.0.1	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Application	Json Project	Json	All	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 31 Update: rubygem-json-2.2.0-202.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
[security-announce] openSUSE-SU-2020:0586-1: moderate: Security update f	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 30 Update: rubygem-json-2.2.0-202.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
CVE-2020-10663 Ruby JSON gem Unsafe Object Creation Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Full Disclosure: APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1	FULLDISC	seclists.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
About the security content of macOS Big Sur 11.0.1 - Apple Support	CONFIRM	support.apple.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 31 Update: rubygem-json-2.2.0-202.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)	CONFIRM	www.ruby-lang.org	Vendor Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] [DLA 2192-1] ruby2.1 security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Debian -- Security Information -- DSA-4721-1 ruby2.5	DEBIAN	www.debian.org	Third Party Advisory
[SECURITY] Fedora 30 Update: rubygem-json-2.2.0-202.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 31 Update: ruby-2.6.6-125.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
Pony Mail!		lists.apache.org
[SECURITY] Fedora 31 Update: ruby-2.6.6-125.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159290 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2021-2587)
159298 Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2021-2588)
198302 Ubuntu Security Notification for Ruby2.3, Ruby2.5, Ruby2.7 Vulnerabilities (USN-4882-1)
239350 Red Hat Update for rh-ruby25-ruby (RHSA-2021:2104)
239368 Red Hat Update for rh-ruby26-ruby (RHSA-2021:2230)
239461 Red Hat Update for ruby:2.6 (RHSA-2021:2588)
239462 Red Hat Update for ruby:2.5 (RHSA-2021:2587)
240156 Red Hat Update for ruby:2.6 (RHSA-2022:0582)
296073 Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)
352370 Amazon Linux Security Advisory for ruby: ALAS2-2021-1641
356305 Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-007
500613 Alpine Linux Security Update for ruby
504373 Alpine Linux Security Update for ruby
940189 AlmaLinux Security Update for ruby:2.6 (ALSA-2021:2588)
940401 AlmaLinux Security Update for ruby:2.5 (ALSA-2021:2587)
960022 Rocky Linux Security Update for ruby:2.6 (RLSA-2021:2588)
960035 Rocky Linux Security Update for pcs (RLSA-2020:2462)
960064 Rocky Linux Security Update for ruby:2.5 (RLSA-2021:2587)